On Fri, 2013-11-29 at 16:51 +0100, Petr Viktorin wrote:
> I've updated the design with
> - updated schema (this time the OIDs are even reserved properly!)
> - longer attribute descriptions with examples
> - updated update algorithm based on discussion with Simo

Hi Petr, thank you for the update.

> Additionally, I've updated draft designs this one references [0, 1]. The
> CLI/API parts of those aren't finished but the LDAP should be ready for
> criticism.

It would be very nice if you can add the resulting LDAP objects in the example, that will allow me to reason on the correctness of the translation.

> For examples, I felt that anything I show as an example should also go
> in the test suite, so I added the tests. (If you're into wiki design I'd
> appreciate ideas about how to make that section better.)
> If you need any more examples, or see some dangerous corner cases, tell
> me and I'll add them.
>
> There is still a race condition when the subtree changes, e.g. when
> you'd move an ACI from $SUFFIX to cn=users,cn=accounts,$SUFFIX, the
> rights are revoked between the times the ACI is removed and re-added.
> At this point I'd rather document it and file a bug (and possibly start
> working on it right after this) than redo the internals in yet another
> way in the same update.

I think that this will be fine, *after* we change the default mode to deny everything, and rely on permissions to allow. This way the lack of an ACI will deny (not permit!) access to arbitrary attributes.

> [0] http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
> [1] http://www.freeipa.org/page/V3/Managed_Read_permissions
>
>
> PS. the hack I used to generate the test plan for mediawiki is here:
> https://github.com/encukou/ipa-tools/blob/master/mw-format-tests.py

Haven't read all the way through the test code, but having tests is excellent.

Simo.

--
Simo Sorce * Red Hat, Inc * New York